Cybersecurity by Denise Villarreal: Computer Fraud and Abuse Act

Defendant was convicted of aiding and abetting the accessing without authorization of a protected computer. On appeal, certiorari was denied. 551 U.S. 1154 (2007).

Court held that the crime of accessing a protected computer without authorization (18 USC 1030) *only* requires proof the defendant accessed information from a protected computer with intent. It does not matter what the purpose or whether the defendant knew the value of the information accessed.

Defendant found guilty under CFAA when he disrupted a police department's computer-based radio system creating public safety problems by preventing police communication. "Threat against public health or safety" 1030(a)(5).

Defendant convicted under 18 USC 1030 ("Obtaining Access with Intent to Defraud & Obtain Value") when he used a lottery terminal to produce backdated tickets with winning numbers and submitted them for collection of the money.

Defendant conviceted under section 1030(a)(5)(A) of CFAA (1988) for accessing a "Federal interest computer" sans authorization by means of a worm he designed to test the security of computer networks. The worm code copied itself into computer systems and reproduced and due to a defect it replicated at a very fast rate, shutting down computer systems throughout the US.

Defendant's illegal possession of out of state credit card account numbers is an offense affecting interstate or foreign commerce. 1030(a)(6)(B)

Vice-President accessed a customer spreadsheet and emailed it from his work email to his private email account and then used it at a trade show for personal financial gain against the company's interests.

Court held that:
* Employee "exceeds authorized access" when goes beyond authorized access but maintains duty of loyalty to the company, 18 USC 1030(e)(6);
* "Without authorization" means the person accesses a computer without permission who was never granted access or has been granted access as an agent of the owner which has been revoked on breaching duty of loyalty to the owner, 18 USC (e)(6) In this case, the VP accessed information he was allowed to access with the intent to use it in breach of his duty of loyalty to defraud the company, 18 USC (a)(4);
* A "protected computer" is one connected to interstate commerce and that the information accessed was of intrastate character does not matter. 18 USC (a)(2)(C)

Defendant with colleague (Goshkov of US v. Gorshkov, 2001 WL 1024026 (W.D. Wash. 2001)), both Russian citizens, hacked into networks of 20 US businesses and then contacted one such business via mail threatening to delete all data from the computers on the business's network unless the defendants were hired as security consultants to prevent future breaches. "Threatening to Damage a Computer with Intent to Extort" 1030(a)(7).

AOL brought action against NHCD alleging that NHCD hired e-mailers to send unauthorized and unsolicited bulk e-mail advertisements to ISP's customers, in violation of state and federal law. Court denied AOL's motion for summary judgment.

The court declared that for purposes of the CFAA, when someone sends an e-mail message, the message is transmitted through other computers until it reaches its destination. Therefore, the sender is making use of all of those computers, thus “accessing” them within meaning of the CFAA. Additionally, the court declared that AOL's goodwill was "something of value" and that damage to goodwill is actionable under the CFAA.

Toshiba's sale of laptop computers with allegedly defective software that erased floppy disks inserted in the computers was “transmission,” within meaning of CFAA provision prohibiting transmission of code which intentionally causes damage to protected computers. 18 USC 1030(a)(5)(A).

Section 1. "Aaron's Law Act of 2013"

Section 2. Clarifying that "access without authorization" means circumvention of thecnological barriers in order to gain unauthorized access.

Section 3. Repeal 1030(a)(4)

Section 4. Making penalties proportionate to crimes.

STATUS as of 7/25/2013: Read twice and referred to Committee on the Judiciary

The CFAA of 1986 was written to clarify and increase the scope of prior computer fraud legislation enacted under the Comprehensive Crime Control Act of 1984. the CFAA also limited federal jurisdiction and criminalized more computer-related acts including: distribution of malicious code, denial of service attacks, and trafficking in passwords.

The CFAA has been amended in 1988, 1989, 1990, 1994, 1996, 2000, 2002, & 2008. It was also amended in 2001 by the USA PATRIOT Act and in 2008 by the Identity Theft Enforcement and Restitution Act.

CCCA (18 U.S.C. 1030) was meant to fill in gaps the Wire & Mail Fraud provisions of the US Criminal Code could not address to combat computer crimes, specifically unauthorized access and use of computers and computer networks. This would prove insufficient and necessitated enacting a single piece of legislation to address computer crime, the CFAA of 1986 which significantly amended 18 U.S.C. 1030.

Prior to computer crime specific legislation, the US relied on provisions protecting against wire and mail fraud to address computer crimes leaving many potentially criminal situations without provisions to address them. This necessitated legislation to address computer-specific crime. Congress adopted a gap-filling measure, the Comprehensive Crime Control Act of 1984.